
Study on High-speed Cyber Penetration Attack Analysis Technology based on Static Feature Base Applicable to Endpoints

A study on high-speed cyber penetration attack analysis technology based on static features applicable to endpoints

  • Hwang, Jun-ho (Department of Information Security, Hoseo University);
  • Hwang, Seon-bin (Department of Information Security, Hoseo University);
  • Kim, Su-jeong (Department of Information Security, Hoseo University);
  • Lee, Tae-jin (Department of Information Security, Hoseo University)
  • Received: 2018.05.17
  • Accepted: 2018.08.02
  • Published: 2018.10.31

Abstract

Cyber penetration attacks can not only damage cyber space but can attack entire infrastructure such as electricity, gas, water, and nuclear power, which can cause enormous damage to the lives of the people. Also, cyber space has already been defined as the fifth battlefield, and strategic responses are very important. Most recent cyber attacks are caused by malicious code, and since the number is more than 1.6 million per day, automated analysis technology to cope with a large amount of malicious code is very important. However, existing static analysis techniques have difficulty dealing with malicious code encryption, obfuscation and packing, and dynamic analysis techniques are limited not only by the performance requirements of dynamic analysis but also in coping with virtual-environment evasion techniques. In this paper, we propose a machine learning based malicious code analysis technique which improves the detection performance weaknesses of existing analysis technology while maintaining the light and high-speed analysis performance applicable to commercial endpoints. The results of this study show 99.13% accuracy, 99.26% precision and 99.09% recall on 71,000 normal files and malicious code samples from a commercial environment, and an analysis time in a PC environment of more than 5 samples per second; the technique can be operated independently in the endpoint environment and is considered to work in a complementary form when operated in conjunction with existing antivirus technology and static and dynamic analysis technology. It is also expected to be used as a core element of EDR technology and malware variant analysis.

Cyber intrusion attacks do not only cause damage in cyber space; because they can attack entire infrastructure facilities such as electricity, gas, water and nuclear power, they can inflict enormous damage on every aspect of citizens' lives. In addition, cyber space has already been defined as the fifth battlefield, so a strategic response is very important. Most recent cyber attacks occur through malicious code, and since their number exceeds 1.6 million per day on average, automated analysis technology for coping with large volumes of malicious code is of great importance. Various automatic analysis technologies have been studied accordingly, but existing static analysis techniques for malicious code have difficulty coping with encryption, obfuscation and packing, and dynamic analysis techniques are limited not only by the performance requirements of dynamic analysis but also in coping with virtual-environment evasion techniques, including logic bombs. In this paper, we propose a machine learning based malicious code analysis technique that improves on the detection performance weaknesses of existing analysis techniques while maintaining light and high-speed analysis performance at a level applicable to endpoints in commercial environments. The results of this study were measured at 99.13% accuracy, 99.26% precision and 99.09% recall on 71,000 normal files and malicious code samples from a commercial environment, with an analysis time in a PC environment of more than 5 samples per second; the technique can operate independently in the endpoint environment and is expected to operate in a mutually complementary form when linked with existing antivirus technology and static and dynamic analysis technology. It is also expected to be usable as a core element of malware variant analysis and of EDR technology, which has recently become a hot topic.

